CSS SERVICES, INC. PRIVACY POLICY

(Last Updated: June 30, 2026)

CSS Services, Inc. (“CSS,” “we,” “us,” or “our”) respects your privacy and is committed to protecting it through our compliance with this Privacy Policy (“Policy”). This Policy describes:
(1) the types of information we may collect from you or that you may provide when you browse, access, or otherwise use: (i) our website at www.CsSServicesInc.com (our “Website”); (ii) our OPTIRENT software (“Software”) accessible at www.optirent.cssservicesinc.com; and/or (iii) any of CSS’s services, products, other websites, Software, or mobile applications (collectively, “Services”); and
(2) our practices for collecting, using, maintaining, protecting, and disclosing that information.
This Policy does not apply to: 1) information that you provide to any third party that may be accessible from or on our Website and/or Software; and 2) information collected by any other third party website, as they may have their own privacy policies, which we encourage you to read before providing information on or through them.
Please read this Policy carefully to understand our policies and practices regarding your information and how we will treat it. IF YOU DO NOT AGREE WITH THIS POLICY, YOU MAY NOT ACCESS OR USE OUR WEBSITE OR SERVICES. By accessing or using our Website or Services, you agree to this Policy. This Policy may change from time to time. Your continued use of our Website or Services after we make changes is deemed acceptance of those changes. We encourage you to check this Policy periodically for updates.

1. WHO WE ARE AND HOW TO CONTACT US
CSS Services, Inc.
P.O. Box 451027
Atlanta, Georgia 31145-9027

Email: support@cssservicesinc.com
Phone: (770) 491-0522
Website: https://cssservicesinc.com

For privacy-related inquiries, please contact our Privacy Contact at the email or mailing address above.

1.1 Information We Process on Behalf of Our Customers

CSS provides software and related services to property managers, landlords, and other business customers. As part of those services, our customers may upload or otherwise provide Personal Information about tenants, applicants, residents, owners, guarantors, vendors, or other individuals (“Customer Data”).

For Customer Data processed through our Software, CSS generally processes the information on behalf of and under the instructions of our customer in accordance with our agreements with that customer. In those circumstances, the customer determines the purposes for which the information is collected and used.

If your Personal Information was submitted to CSS by one of our customers, you may need to direct certain privacy requests to that customer. Where appropriate, CSS will assist its customers in responding to privacy requests as required by applicable law and our contractual obligations.

2. SCOPE OF THIS POLICY

This Policy applies to information that you provide or that we otherwise collect via the Website, Software, and/or other Services.  This includes, but is not limited to, information contained in e-mails, text messages, and/or other electronic communications between you and us.  We also collect certain information automatically when you use or interact with the Website, Software, or other Services or when you interact with our advertising and applications on third-party websites and services, if those applications or advertising include links to this Policy.

This Policy does not apply to information collected by any third party, including through any application or content that may be linked to or be accessible from our Website.

3. INFORMATION WE COLLECT

3.1 What We Collect

When you interact or use our Website and/or Software, we may collect, or you may provide, the following categories of information:

  1. Information by which you may be personally identified, such as, your name, alias, postal address, signature, email address, account name, user name, social security number, driver’s license number, telephone number, employer, job title, job industry, financial information and/or any other identifier by which you may be contacted online or offline (collectively referred to as “Personal Information,” which includes, but is not limited to, such information as described in Civ. Code § 1798.80);
  2. Information that is associated with you, but does not individually identify you, such as, for example, information you provide by filling in forms on our Website, registering to use our Software, and/or creating an account, including information about the best way to contact you, the type of Services you are interested in, and/or scheduling a demo of our Software;
  3. Information that you provide in response to surveys that we might ask you to complete for research, advertising, and/or business purposes;
  4. Information you provide when you enter a contest or promotion sponsored by us, or when you report a problem with our Website;
  5. Information you provide in connection with using the Website and/or Software, including records of products or services purchased, obtained, or considered and other property-related information (including where a property is located (city and state), owner information, and other property-related information (such as the amount and breakdown of rent owed)) and, to the extent you voluntarily provide such information, age, race, color, ancestry, national origin, citizenship, religion, marital status, medical condition, physical or mental disability, sex, sexual orientation, gender identity/expression, and veteran or military status;
  6. Browsing history, search history, IP address, device identifiers, browser type, and referring URLs;
  7. General geolocation data derived from IP address (we do not collect precise geolocation without your explicit consent);
  8. Other sensory or electronic data, including audio, electronic, or visual information, such as call recordings where permitted by law;
  9. Credit card or other payment account information, which may be required when using our Software, or our Website or Services;
  10. Other “sensitive personal information,” which we collect only with your consent and which may include social security, driver’s license, or passport number; account log-in credentials with required security codes; financial account, debit card, or credit card numbers with security credentials; precise geolocation; racial or ethnic origin; religious beliefs; or union membership; and
  11. Information, data, and files that you submit or upload to the Software in connection with one or more properties, such as lease agreements, rent ledgers, and the like.

3.2 How We Collect Information

3.2.a  Direct Collection

We collect information directly from you, when you:

  • Register for an account or create a profile;
  • Purchase or subscribe to our products or Services;
  • Fill in forms on our Website;
  • Request information, customer support, or technical assistance;
  • Respond to surveys or participate in promotions; and/or
  • Communicate with us by phone, email, or other means.

3.2.b  Automatic Collection

We also collect information automatically, including through one or more of the following technologies:

  • Cookies. Cookies are small data files that are placed on the hard drive of your computer, which enables a website to recognize the computer or user each time the user returns to the Website. We may set one or more cookies in your browser when you visit our Website to improve the quality of our Website, store user preferences, and track user trends. In addition, we may also use advertising cookies to help advertisers and publishers serve and manage ads across the web. Most browsers now automatically accept cookies by default, but they can also be set so that all or some cookies are rejected automatically or are accepted or rejected on a case-by-case basis at the user’s option. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website.
  • Flash Cookies. Certain features of our Website may use local stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from, and on our Website. Flash cookies are not managed by the same browser settings as are used for browser cookies.
  • Web Beacons. Pages of our Website may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, or single-pixel gifs), which allows us to count the number of users: i) who have visited certain pages of our Website; ii) opened emails we may send about our Services, new products, or other updates; and/or iii) collect web related statistics (such as, for example, recording the popularity of certain content on our Website).
  • Log Files. Server logs recording IP address, browser type, referring/exit pages, timestamps, and clickstream data.
  • Analytics Tools. Third-party analytics providers (e.g., Google Analytics) that collect and analyze usage information.

3.2.c From Third Parties.

We may also collect information from third parties, including business partners, data brokers, and advertising networks; social media platforms; and other publicly available sources.

4. HOW WE USE YOUR INFORMATION

We use the information we collect to:

  • Present and make available our Website, Software, and Services;
  • Process transactions and send related confirmations and invoices;
  • Create, maintain, customize, and secure your account;
  • Provide customer support and respond to inquiries;
  • Send technical notices, updates, and security alerts;
  • Send promotional communications (you may opt out at any time);
  • Personalize your experience and deliver relevant content;
  • Conduct research, analytics, and reporting to improve our Services;
  • Monitor and analyze usage patterns and trends;
  • Detect, investigate, and prevent fraud, abuse, and security incidents;
  • Comply with applicable legal obligations; and
  • For any other purpose disclosed to you at the time you provide your information.

We do not sell your Personal Information to third parties for money. However, some analytics, advertising, or tracking technologies may be considered a “sale,” “sharing,” or processing for targeted advertising under certain state laws. Where required, we provide opt-out rights. We may use the information we have collected from you to enable us to display advertisements to our advertisers’ target audiences. Even though we do not disclose your Personal Information for these purposes without your consent, if you click on or otherwise interact with an advertisement, the advertiser may assume that you meet its target criteria.

5. DISCLOSURE OF YOUR INFORMATION

We may disclose aggregated or de-identified information without restriction. We may disclose Personal Information (including aggregated information about our users):

  • To Affiliates and Subsidiaries. Subject to this Policy;
  • To Service Providers / Processors. Third-party vendors performing services on our behalf (e.g., payment processing, hosting, analytics). These parties are authorized to use Personal Information only as necessary to provide services to us;
  • To Business Partners. With your consent, or to fulfill a jointly requested product or service;
  • For Business Transfers. In connection with any merger, sale, financing, or acquisition of our business;
  • For Legal and Compliance Purposes. To comply with law, enforce our agreements, or protect rights and safety; and
  • With Your Consent. In any other way with your explicit consent and/or to fulfill the purpose for which you provided it; and

We do not knowingly sell or share the Personal Information of minors under 18 years of age without affirmative authorization.

We strive to provide you with choices regarding the Personal Information you provide to us. We have created mechanisms to provide you with the following control over your information:

  1. Tracking Technologies.You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. To learn how you can manage your Flash cookie settings, visit the Flash player settings page on Adobe’s website. If you disable or refuse cookies, please note that some parts of our Website may then be inaccessible or not function properly.
  2. Disclosure of Your Information to Third-Parties.We will not interface with a third party on your behalf or disclose information about you to a third party without your expressed consent. If you do not want us to share your any information about you, including Personal Information with unaffiliated or non-agent third parties, then you can opt-out by not providing your consent and/or by sending us an email with your request to support@cssservicesinc.com.
  3. Promotional Offers from the CSS.If you do not wish to have your email address/contact information used by the CSS to promote our own or third parties’ products or services, you can opt-out by sending us an email stating your request to support@cssservicesinc.com.
  4. THIRD-PARTY ADVERTISING AND TRACKING

Some content or applications, including advertisements, on the Website may be served by third-parties, including advertisers, ad networks and servers, content providers, and application providers. These third-parties may use cookies (along or in conjunction with web beacons or other tracking technologies) to collect information about you when you use our Website. The information they collect may be associated with your Personal Information or they may collect information, including personal data, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.  You can learn more about opting out of such advertising at the following links: NAI Opt-Out; DAA Opt-Out; and/or Google Analytics Opt-Out.  We support the Global Privacy Control (GPC) opt-out preference signal where required by applicable law.

We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. For these providers, we recommend that you read their privacy policies so you can understand the manner in which your Personal Information will be handled by these providers.

Once you leave our Website and/or are redirected to a third-party website or application, you are no longer governed by this Policy.

  1. COOKIES AND “DO NOT TRACK”

Our Website uses first-party and third-party cookies. You may control cookie preferences through your browser settings. At this time, our Website does not respond to “Do Not Track” browser signals, but we do honor the GPC signal as required in applicable jurisdictions.

  1. DATA RETENTION

We retain Personal Information for as long as necessary to fulfill the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements. When Personal Information is no longer required, we securely delete or anonymize it.

  1. DATA SECURITY

We have implemented commercially reasonable technical, administrative, and physical measures to secure your Personal Information from unauthorized access, use, alteration, and disclosure. These include encryption of data in transit using SSL/TLS, restricted access on a need-to-know basis, regular security assessments, employee training, and incident response procedures.

We have implemented measures designed to secure your Personal Information from accidental loss and from unauthorized access, use, alteration, and disclosure. All information you provide to us is stored on our secure servers behind redundant firewalls in an ISO 9001 certified data center.

The safety and security of your information is important to us. To ensure your Personal Information is secure, our database serves have no direct connection to the Internet. Also, physical access of our database serves is subject to badge, biometric (fingerprint), and physical key access restrictions. Likewise, network access to the servers requires VPN access employing 2 Factor Authentication and Public/Private Key validation

In addition, all data entry and display are transmitted over SSL, where SSL robustness is routinely validated using Qualys SSL Labs. Social Security numbers are encrypted using AES256 encryption and scrubbed when no longer needed. Backups are encrypted using AES256 encryption and stored in a secure storage facility (Carbonite). The web application is routinely subjected to vulnerability scans and web application scanning. Finally, security patches are routinely applied to production and development servers

Please note that we do not currently receive or store any credit card information.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. Lastly, we use reasonable efforts to make sure our data processors are GDPR-compliant.

Unfortunately, the transmission of information via the internet is not completely secure; however, we follow all PCI-DSS requirements and implement additional generally accepted industry standards to protect your Personal Information; however, we cannot guarantee the security of your Personal Information transmitted to our Website. Any transmission of Personal Information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website.

No method of transmission over the Internet is 100% secure. Any transmission of Personal Information is at your own risk. If you believe your interaction with us is no longer secure, contact us immediately at our phone number set forth herein.

  1. CHILDREN’S PRIVACY

Our Website and Services are not directed to children under the age of 13, and we do not knowingly collect Personal Information from children under 13. If we learn we have collected Personal Information from a child under 13 without parental consent, we will delete it promptly. Contact us at support@cssservicesinc.com if you believe we have information about a child under 13.

For users ages 13–17: We will not sell or share Personal Information of users we know are between 13 and 17 years old without affirmative authorization.

We comply with the Children’s Online Privacy Protection Act (COPPA) and applicable state laws protecting minors.

  1. LINKS TO THIRD-PARTY WEBSITES

Our Website may contain links to third-party websites. We are not responsible for their privacy practices and encourage you to review their privacy notices when you leave our Website.

  1. INTERNATIONAL USERS

Our Website is operated in the United States. By using our Website, you consent to the transfer of your information to the United States, where data protection laws may differ from those in your country.

  1. CHANGES TO THIS PRIVACY POLICY

We reserve the right to amend this Policy at any time with an updated “Last Updated” date. For material changes, we will post a notice on our Website and/or notify you by email. Your continued use after changes constitutes acceptance.

  1. YOUR PRIVACY RIGHTS — GENERAL

Depending on your jurisdiction, you may have the right to:

  • Access/Know. Request information about Personal Information we hold about you;
  • Correction/Rectification. Request correction of inaccurate Personal Information;
  • Deletion/Erasure. Request deletion of your Personal Information;
  • Data Portability. Receive a portable copy of your Personal Information;
  • Opt-Out of Sale / Sharing. Opt out of the sale or sharing of your Personal Information;
  • Opt-Out of Targeted Advertising. Opt out of targeted advertising;
  • Opt-Out of Profiling. Opt out of certain automated profiling decisions;
  • Limit Sensitive Data Processing. Request limits on sensitive Personal Information use; and
  • Non-Discrimination. Not receive discriminatory treatment for exercising your privacy rights.

To submit a request or ask a question:

Email: support@cssservicesinc.com
Phone: (770) 491-0522
Website: https://cssservicesinc.com

 

We will verify your identity before fulfilling any request and respond within the timeframes required under applicable law. We will not discriminate against you for exercising your rights. Authorized agents may submit requests on your behalf with proof of authority.

  1. STATE-SPECIFIC PRIVACY RIGHTS

Notwithstanding any other provision herein to the contrary, the following state-specific privacy rights apply as indicated based upon your state of residency:

FOR RESIDENTS OF CALIFORNIA ONLY

California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA); Cal. Civ. Code §§ 1798.100–1798.199.100; California Online Privacy Protection Act (CalOPPA); California Shine the Light Law (Cal. Civ. Code § 1798.83)

Applicability: CCPA/CPRA applies to businesses with annual gross revenues exceeding $26.625M; OR that buy, sell, or share PI of 100,000+ California residents or households; OR that derive 50%+ of annual revenue from selling or sharing California residents’ PI.

Categories of Personal Information Collected in the Last 12 Months:

  • Identifiers (name, postal address, IP address, email address, account name);
  • Personal information under Cal. Civ. Code § 1798.80;
  • Commercial information;
  • Internet or electronic network activity information;
  • Geolocation data; and
  • Inferences drawn from the above.

“Do Not Sell or Share My Personal Information”: You have the right to opt out of the sale or sharing of your Personal Information. To exercise this right:

  • Click the “Do Not Sell or Share My Personal Information” link in our Website footer; or
  • Contact us at support@cssservicesinc.com with “California Opt-Out Request” in the subject.

We honor Global Privacy Control (GPC) signals as valid opt-out preference signals.

“Limit the Use of My Sensitive Personal Information”: Click “Your Privacy Choices” in our Website footer or contact us at support@cssservicesinc.com.

Your Rights:

  1. Right to Know. Categories and specific pieces of Personal Information collected; sources; purposes; third-party disclosures;
  2. Right to Delete. Request deletion of Personal Information we hold;
  3. Right to Correct. Request correction of inaccurate Personal Information;
  4. Right to Data Portability. Receive Personal Information in a portable format;
  5. Right to Opt-Out of Sale or Sharing;
  6. Right to Limit Sensitive Personal Information Use;
  7. Right to Non-Discrimination; and
  8. Right Regarding Automated Decision-Making (ADMT) (effective January 1, 2027). Opt out of ADMT used for significant decisions affecting employment, housing, financial services, and healthcare.

Response Timeframe: Opt-out requests: 15 business days. All other requests: 45 calendar days (extendable 45 days with notice).

Shine the Light: California residents may request information about PI disclosed to third parties for direct marketing once per year. Email support@cssservicesinc.com with “Shine the Light Request” in the subject.

Financial Incentives: We do not offer financial incentives in exchange for Personal Information.

FOR RESIDENTS OF VIRGINIA ONLY

Virginia Consumer Data Protection Act (VCDPA); Va. Code Ann. §§ 59.1-571 to 59.1-585; amended by SB 854, effective January 1, 2026

Applicability: VCDPA applies to entities that control or process Personal Information of 100,000+ Virginia residents/year; or 25,000+ Virginia residents + 50%+ revenue from sale of Personal Information.

Your Rights:

  1. Confirm and access personal data;
  2. Correct inaccuracies;
  3. Delete personal data;
  4. Obtain a portable copy; and
  5. Opt out of targeted advertising, sale of personal data, and profiling for legal or similarly significant effects.

Sensitive Data: We process sensitive data only with your prior opt-in consent.

Response Timeframe: 45 calendar days (extendable 45 days with notice).

Appeal: You have 60 days to appeal a denial. Email support@cssservicesinc.com with “Virginia Privacy Appeal” in the subject. If your appeal is denied, contact the Virginia AG at https://www.oag.state.va.us/.

FOR RESIDENTS OF COLORADO ONLY

Colorado Privacy Act (CPA); C.R.S. §§ 6-1-1301 to 6-1-1313; amended by SB 25-276, effective May 23, 2025

Applicability: CPA applies to entities that control or process Personal Information of 100,000+ Colorado residents/year; or 25,000+ Colorado residents + revenue or discount from sale of Personal Information.

Your Rights:

  1. Opt out of targeted advertising, sale, and profiling for consequential decisions;
  2. Access personal data;
  3. Correct inaccurate personal data;
  4. Delete personal data; and
  5. Obtain a portable copy.

Universal Opt-Out: We honor Global Privacy Control (GPC) signals as valid opt-out signals.

Sensitive Data: Opt-in consent required.

Response Timeframe: 45 calendar days (extendable 45 days with notice).

Appeal: If we decline your request, you may appeal. If the appeal is denied, contact the Colorado AG at https://coag.gov/.

FOR RESIDENTS OF CONNECTICUT ONLY

Connecticut Data Privacy Act (CTDPA); Conn. Gen. Stat. §§ 42-515 to 42-525; amended by SB 1295, most provisions effective July 1, 2026

Applicability: CTDPA applies to entities that control or process Personal Information of 35,000+ Connecticut consumers; or 25,000+ consumers + 25%+ revenue from sale of Personal Information.

Your Rights:

  1. Confirm and access personal data;
  2. Correct inaccurate personal data;
  3. Delete personal data;
  4. Obtain a portable copy;
  5. Opt out of targeted advertising, sale, and profiling; and
  6. Obtain a list of specific third parties to whom we have disclosed your personal data.

Universal Opt-Out: We honor GPC signals.

Minors: We do not knowingly sell the personal data of consumers whom we know or should know are under 18 years of age or process their personal data for targeted advertising.

Sensitive Data: Opt-in consent required.

Response Timeframe: 45 calendar days (extendable 45 days with notice).

Appeal: You may appeal within 60 days. Email support@cssservicesinc.com with “Connecticut Privacy Appeal” in the subject.

FOR RESIDENTS OF UTAH ONLY

Utah Consumer Privacy Act (UCPA); Utah Code Ann. §§ 13-61-101 to 13-61-404; amended by HB 418, effective July 1, 2026

Applicability: UCPA applies to entities with annual revenue ≥ $25M that process Personal Information of 100,000+ Utah consumers; or 25,000+ Utah consumers + 50%+ revenue from sale of Personal Information.

Your Rights:

  1. Confirm and access personal data;
  2. Delete personal data you provided;
  3. Obtain a portable copy; and
  4. Opt out of sale of personal data and targeted advertising.

Note: Utah law does not currently provide a right to correct data.

Sensitive Data: Opt-out mechanism (you may opt out of sensitive data processing).

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF TEXAS ONLY

Texas Data Privacy and Security Act (TDPSA); Tex. Bus. & Com. Code §§ 541.001–541.205; effective July 1, 2024; Texas Responsible Artificial Intelligence Governance Act; HB 149, effective January 1, 2026

Applicability: TDPSA applies to all entities doing business in Texas or targeting Texas residents, except SBA-defined small businesses, nonprofits, public higher education institutions, GLBA-covered entities, and HIPAA-covered entities.

Your Rights:

  1. Confirm and access personal data;
  2. Correct inaccuracies;
  3. Delete personal data;
  4. Obtain a portable copy; and
  5. Opt out of targeted advertising, sale, and profiling for significant decisions.

Universal Opt-Out: We honor universal opt-out mechanisms designated by the Texas AG, including GPC.

Sensitive Data: Opt-in consent required.

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF FLORIDA ONLY

Florida Digital Bill of Rights (FDBR); Fla. Stat. §§ 501.701–501.721; effective July 1, 2024

Note: The FDBR applies only to entities with global annual revenues exceeding $1 billion that also meet additional criteria (operate a consumer smart speaker, operate an app store with 250,000+ apps, or derive 50%+ revenue from online advertising). If we do not meet these thresholds, this section is informational. For qualifying entities, Florida residents have rights to access, correct, delete, and obtain a copy of personal data; and to opt out of targeted advertising, sale, profiling, precise geolocation, voice recognition, and facial recognition.

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF OREGON ONLY

Oregon Consumer Privacy Act (OCPA); ORS §§ 646A.570–646A.590; effective July 1, 2024

Applicability: OCPA applies to entities that control or process Personal Information of 100,000+ Oregon consumers/year; or 25,000+ Oregon consumers + 25%+ revenue from sale of Personal Information.

Your Rights:

  1. Confirm and access personal data;
  2. Correct inaccuracies;
  3. Delete personal data;
  4. Obtain a portable copy;
  5. Opt out of targeted advertising, sale, and profiling; and
  6. Obtain a list of specific third parties to whom we have disclosed your personal data.

Minor Protection: We do not sell personal data of consumers we know are under 16 years of age.

Sensitive Data: Opt-in consent required.

Universal Opt-Out: We honor GPC signals.

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF MONTANA ONLY

Montana Consumer Data Privacy Act (MCDPA); Mont. Code Ann. §§ 30-14-3201 to 30-14-3226; effective October 1, 2024; amended by SB 297, effective October 1, 2025

Applicability: MCDPA applies to entities that process Personal Information of 50,000+ Montana consumers/year (excluding payment-only data); or 25,000+ Montana consumers + 25%+ revenue from sale.

Your Rights:

  1. Confirm and access personal data;
  2. Correct inaccuracies;
  3. Delete personal data;
  4. Obtain a portable copy; and
  5. Opt out of targeted advertising, sale, and profiling.

Sensitive Data: Opt-in consent required.

Universal Opt-Out: We honor GPC signals.

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF IOWA ONLY

Iowa Consumer Data Protection Act (ICDPA); Iowa Code §§ 715D.1–715D.9; effective January 1, 2025

Applicability: ICDPA applies to entities that process Personal Information of 100,000+ Iowa consumers/year; or 25,000+ Iowa consumers + 50%+ revenue from sale.

Your Rights:

  1. Confirm and access personal data;
  2. Delete personal data;
  3. Obtain a portable copy; and
  4. Opt out of targeted advertising, sale, and profiling.

Note: Iowa law does not currently provide a right to correct data.

Sensitive Data: Opt-out mechanism.

Response Timeframe: 90 calendar days.

FOR RESIDENTS OF DELAWARE ONLY

Delaware Personal Data Privacy Act (DPDPA); 6 Del. Code §§ 12D-101 to 12D-119; effective January 1, 2025

Applicability: DPDPA applies to entities that process Personal Information of 35,000+ Delaware consumers (excluding payment-only); or 10,000+ Delaware consumers + 20%+ revenue from sale.

Your Rights:

  1. Confirm and access personal data;
  2. Correct inaccuracies;
  3. Delete personal data;
  4. Obtain a portable copy; and
  5. Opt out of targeted advertising, sale, and profiling.

Sensitive Data: Opt-in consent required.

Universal Opt-Out: We honor GPC signals.

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF NEBRASKA ONLY

Nebraska Data Privacy Act (NDPA); Neb. Rev. Stat. §§ 87-401 to 87-416; effective January 1, 2025

Applicability: NDPA applies to entities that process Personal Information of 100,000+ Nebraska consumers; or 25,000+ Nebraska consumers + 25%+ revenue from sale.

Your Rights:

  1. Confirm and access personal data;
  2. Correct inaccuracies;
  3. Delete personal data;
  4. Obtain a portable copy; and
  5. Opt out of targeted advertising, sale, and profiling.

Sensitive Data: Opt-in consent required.

Universal Opt-Out: We honor GPC signals.

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF NEW HAMPSHIRE ONLY

New Hampshire Expectation of Privacy Act; RSA 507-H:1 to 507-H:12; effective January 1, 2025

Applicability: Applies to entities that process Personal Information of 35,000+ New Hampshire consumers (excluding payment-only); or 10,000+ New Hampshire consumers + 25%+ revenue from sale.

Your Rights:

  1. Confirm and access personal data;
  2. Correct inaccuracies;
  3. Delete personal data;
  4. Obtain a portable copy; and
  5. Opt out of targeted advertising, sale, and profiling.

Sensitive Data: Opt-in consent required.

Universal Opt-Out: We honor GPC signals.

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF NEW JERSEY ONLY

New Jersey Data Privacy Act (NJDPA); N.J. Stat. §§ 56:8-166.4 et seq.; effective January 15, 2025

Applicability: NJDPA applies to entities that process Personal Information of 100,000+ New Jersey consumers (excluding payment-only); or 25,000+ New Jersey consumers + 25%+ revenue from sale.

Your Rights:

  1. Confirm and access personal data;
  2. Correct inaccuracies;
  3. Delete personal data;
  4. Obtain a portable copy; and
  5. Opt out of targeted advertising, sale, and profiling.

Sensitive Data: Opt-in consent required. Financial information is treated as sensitive data under the NJDPA.

Minors: We obtain opt-in consent before processing personal data of consumers we know are 13–17 years of age for targeted advertising or data sale.

Universal Opt-Out: We honor GPC signals.

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF TENNESSEE ONLY

Tennessee Information Protection Act (TIPA); Tenn. Code Ann. §§ 47-18-3201 to 47-18-3232; effective July 1, 2025

Applicability: TIPA applies to entities with annual revenue > $25M that process Personal Information of 175,000+ Tennessee consumers; or 25,000+ Tennessee consumers + 50%+ revenue from sale.

Your Rights:

  1. Confirm and access personal data;
  2. Correct inaccuracies;
  3. Delete personal data;
  4. Obtain a portable copy; and
  5. Opt out of targeted advertising, sale, and profiling.

Sensitive Data: Opt-in consent required.

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF MINNESOTA ONLY

Minnesota Consumer Data Privacy Act (MCDPA); Minn. Stat. §§ 325O.01–325O.17; effective July 31, 2025

Applicability: Applies to entities that process Personal Information of 100,000+ Minnesota consumers; or 25,000+ Minnesota consumers + 25%+ revenue from sale.

Your Rights:

  1. Access, Correction, Deletion, Portability;
  2. Opt-Out of Targeted Ads/Sale/Profiling;
  3. Question the results of a profiling decision; and
  4. Obtain a list of specific third parties to whom we disclosed your personal data.

Sensitive Data: Opt-in consent required.

Universal Opt-Out: We honor GPC signals.

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF MARYLAND ONLY

Maryland Online Data Privacy Act (MODPA); Md. Code Ann., Com. Law §§ 14-4601 to 14-4626; effective October 1, 2025

Applicability: MODPA applies to entities that process Personal Information of 35,000+ Maryland consumers (excluding payment-only); or 10,000+ Maryland consumers + 20%+ revenue from sale.

Your Rights: Access, Correction, Deletion, Portability, Opt-Out of Targeted Ads/Profiling; Categories of third parties.

Important Maryland-Specific Rules:

  • We do not sell sensitive data. Maryland law prohibits the sale of sensitive personal data entirely.
  • We do not process sensitive data except as strictly necessary to provide a product/service you requested.
  • We do not process personal data for targeted advertising or profiling using data of known minors under 18.

Universal Opt-Out: We honor GPC signals.

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF INDIANA ONLY

Indiana Consumer Data Protection Act (INCDPA); Ind. Code §§ 24-15-1-1 to 24-15-7-3; effective January 1, 2026

Applicability: Applies to entities that process Personal Information of 100,000+ Indiana consumers; or 25,000+ Indiana consumers + 50%+ revenue from sale.

Your Rights:

  1. Confirm and access personal data;
  2. Correct inaccuracies;
  3. Delete personal data;
  4. Obtain a portable copy; and
  5. Opt out of targeted advertising, sale, and profiling.

Sensitive Data: Opt-in consent required.

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF KENTUCKY ONLY

Kentucky Consumer Data Protection Act (KCDPA); KRS §§ 367.900–367.924; effective January 1, 2026

Applicability: Applies to entities that process Personal Information of 100,000+ Kentucky consumers; or 25,000+ Kentucky consumers + 50%+ revenue from sale.

Your Rights:

  1. Confirm and access personal data;
  2. Correct inaccuracies;
  3. Delete personal data;
  4. Obtain a portable copy; and
  5. Opt out of targeted advertising, sale, and profiling.

Sensitive Data: Opt-in consent required.

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF RHODE ISLAND ONLY

Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA); R.I. Gen. Laws §§ 6-48.1-1 to 6-48.1-17; effective January 1, 2026

Applicability: Applies to entities that process Personal Information of 35,000+ Rhode Island consumers; or 10,000+ Rhode Island consumers + 20%+ revenue from sale.

Your Rights: Access, Correction, Deletion, Portability, Opt-Out of Targeted Ads/Sale/Profiling; Right to revoke consent within 15 calendar days.

Sensitive Data: Opt-in consent required.

Universal Opt-Out: We honor GPC signals.

Response Timeframe: 45 calendar days (15 days for consent revocation).

FOR RESIDENTS OF NEVADA ONLY

Nevada Revised Statutes §§ 603A; SB 220 (Sales Opt-Out Law); as amended

All operators of commercial websites who collect covered information from Nevada residents are covered. “Covered information” includes name combined with SSN, driver’s license, financial account credentials, medical/health insurance information, email address with password, or passport number.

Your Right: You have the right to opt out of the sale of your covered Personal Information.

To exercise this right: Email support@cssservicesinc.com with “Nevada Opt-Out Request” in the subject, or submit an online form at our Website.

We will respond to verified opt-out requests within 60 days (extendable by 30 days with notice).

FOR RESIDENTS OF WASHINGTON STATE ONLY

Washington My Health My Data Act (MHMD Act); RCW ch. 70.372; effective March 31, 2024 (large entities); June 30, 2024 (small businesses)

Washington does not have an omnibus comprehensive consumer privacy law. However, the My Health My Data (MHMD) Act provides strong protections for consumer health data — broadly defined to include information about physical or mental health conditions, health care services, diagnoses, reproductive/sexual health, biometric data, disability status, and precise location data that could indicate a health condition.  Given the nature of our business, we do not typically collect, store, or maintain such data.

Coverage: No consumer data processing thresholds — if you collect consumer health data from Washington residents, you are likely covered.

Your Washington Health Data Rights:

  1. Confirm whether we collect your consumer health data and access it;
  2. Withdraw consent for processing consumer health data;
  3. Request deletion of consumer health data; and
  4. Not be discriminated against for exercising your rights.

Our Health Data Obligations:

  • We obtain opt-in consent before collecting or sharing consumer health data (except for necessary services);
  • We obtain separate written authorization before selling consumer health data;
  • We do not geofence within 2,000 feet of healthcare facilities;
  • We maintain reasonable data security including need-to-know access restrictions.

Enforcement: Washington AG and private individuals may bring suit under the Washington Consumer Protection Act.

To Submit Requests: Email support@cssservicesinc.com with “Washington Health Data Request” in the subject.

FOR RESIDENTS OF ILLINOIS ONLY

Illinois Biometric Information Privacy Act (BIPA); 740 ILCS 14/1 et seq.; Illinois Personal Information Protection Act (PIPA); 815 ILCS 530/

Biometric Data Practices

We do not collect biometric identifiers or biometric information as defined under BIPA.

Data Breach Notification: In the event of a security breach, we will notify Illinois residents and the Illinois AG in accordance with PIPA.

FOR RESIDENTS OF OKLAHOMA ONLY

Oklahoma Act Relating to Data Privacy (SB 546); effective January 1, 2027

Applicability: Applies to entities that process Personal Information of 100,000+ Oklahoma consumers; or 25,000+ Oklahoma consumers + majority of revenue from data sales.

Your Rights (effective January 1, 2027):

  1. Access, Correction, Deletion, Portability; and
  2. Opt out of sale of personal data, targeted advertising, and certain profiling.

Sensitive Data: Opt-in consent required.

Response Timeframe: 45 calendar days.

FOR RESIDENTS OF ALABAMA ONLY

Alabama Personal Data Protection Act (APDPA; HB 351); effective May 1, 2027

Applicability: Applies to entities that process Personal Information of 25,000+ Alabama consumers; or derive 25%+ of gross revenue from sale of Personal Information.

Your Rights (effective May 1, 2027):

  1. Access, Correction, Deletion, Portability; and
  2. Opt out of sale of personal data, targeted advertising, and certain profiling.

Sensitive Data: Opt-in consent required.

Opt-Out Signals: We honor opt-out preference signals.

Response Timeframe: 45 calendar days (with mandatory 45-day cure period for businesses; no sunset on cure).

FOR RESIDENTS OF LOUISIANA ONLY

Louisiana Data Privacy Act (LDPA; SB 386); signed May 29, 2026; effective January 1, 2027

Applicability: Applies to entities with annual gross revenue > $25M; OR that process Personal Information of 75,000+ Louisiana residents; OR derive 50%+ revenue from sale of Personal Information.

Your Rights (effective January 1, 2027): Access, Correction, Deletion, Portability, and Opt-Out rights consistent with national standards.

Special Disclosure: If we sell sensitive or biometric data, we are required to prominently display: “NOTICE: We may sell your sensitive personal data” and/or “NOTICE: We may sell your biometric data” — as applicable.

Sensitive Data: Opt-in consent required.

Response Timeframe: To be determined by regulation.

FOR RESIDENTS OF VERMONT ONLY

Vermont Data Privacy and Online Surveillance Act (VDPOSA; SB 71); signed June 16, 2026; effective January 1, 2028

Applicability: Applies to entities that process Personal Information of 35,000+ Vermont residents; OR sensitive PI of 3,000+ Vermont residents; OR sell PI of 3,000+ Vermont residents.

Your Rights (effective January 1, 2028):

  1. Access, Correction, Deletion, Portability;
  2. Opt-Out of Sale/Targeted Ads/Profiling;
  3. Question profiling results;
  4. Obtain a list of third parties who received your personal data; and
  5. Know whether your personal data is used for training AI large language models.

Data Minimization: Controllers must limit data collection to what is reasonably necessary.

Sensitive Data: Opt-in consent required; sale of sensitive data restricted.

Universal Opt-Out: We honor GPC signals.

Response Timeframe: 45 calendar days (extendable 45 days).

FOR RESIDENTS OF PUERTO RICO ONLY

Puerto Rico Citizen Information on Data Banks Security Act (Act No. 111 of 2005; 10 P.R. Laws Ann. §§ 4051–4055); Puerto Rico Constitution Art. II, § 8 (Right to Privacy); Puerto Rico Cybersecurity Act (Act No. 40 of 2024)

Constitutional Right to Privacy: Puerto Rico’s Constitution establishes privacy as a fundamental right enforceable between private parties.

Data Breach Notification:

  1. We notify affected individuals as expeditiously as possible upon discovering a breach;
  2. We notify the Puerto Rico Department of Consumer Affairs (DACO) within 10 days of detecting a breach; and
  3. DACO will make a public announcement within 24 hours of receiving our notice.

Data Security: Pursuant to Act No. 40 of 2024, we maintain security measures including encryption consistent with NIST standards.

Pending Comprehensive Law: Puerto Rico House Bill 1548, which would create GDPR/CCPA-style protections, has passed the Puerto Rico Senate (November 2023) but has not yet been signed into law. We will update this Policy when it becomes effective.

FOR RESIDENTS OF THE DISTRICT OF COLUMBIA ONLY

D.C. Code §§ 28-3851 to 28-3854 (Security Breach Notification Act); as amended

The District of Columbia does not have a comprehensive omnibus consumer privacy law. However, DC’s amended breach notification law:

  1. Expands “personal information” to include taxpayer IDs, passports, military IDs, medication information, genetic information, biometric information, and health insurance information;
  2. Requires 18 months of identity theft protection for breaches exposing SSNs or taxpayer ID numbers;
  3. Requires notification to the DC Attorney General for breaches affecting 50 or more DC residents; and
  4. Requires businesses to implement reasonable data security safeguards.

In the event of a breach, we will notify affected DC residents and the DC AG as required.

FOR RESIDENTS OF NEW YORK ONLY

New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act); N.Y. Gen. Bus. Law § 899-aa and § 899-bb; effective March 21, 2020

New York does not currently have a comprehensive omnibus consumer privacy law. However, the NY SHIELD Act requires:

  1. All entities that own or license computerized private information of New York residents to implement and maintain reasonable administrative, technical, and physical safeguards;
  2. “Private information” includes name + SSN, driver’s license, financial account credentials, biometric data, email with password, and medical/health insurance information;
  3. Notification to affected residents without unreasonable delay in the event of a breach; and
  4. Notification to the New York AG, Department of State, Division of State Police, and Division of Consumer Protection if a breach affects more than 500 New York residents.

FOR RESIDENTS OF MASSACHUSETTS ONLY

Massachusetts Standards for the Protection of Personal Information (201 CMR 17.00); M.G.L. ch. 93H

Massachusetts requires all entities that own or license Personal Information of Massachusetts residents to implement and maintain a Written Information Security Program (WISP) with administrative, technical, and physical safeguards appropriate to the size and nature of the business and the information stored.

We maintain a WISP consistent with 201 CMR 17.00 and will notify Massachusetts residents and the Massachusetts AG in the event of a data breach in accordance with M.G.L. ch. 93H.

FOR RESIDENTS OF MAINE ONLY

Maine Act to Protect the Privacy of Online Consumer Information (26 M.R.S. §§ 9301–9302); effective July 1, 2020

If we are an Internet Service Provider operating in Maine, we comply with Maine’s ISP privacy law: we will not use, sell, disclose, or permit access to your customer Personal Information without your express affirmative consent, and we will not condition provision of service on your consent to such use.

  1. FOR RESIDENTS OF ALL OTHER STATES

All 50 U.S. states have enacted data breach notification laws. For residents of Alaska, Arizona, Arkansas, Georgia, Hawaii, Idaho, Kansas, Michigan, Mississippi, Missouri, New Mexico, North Carolina, North Dakota, Ohio, Pennsylvania, South Carolina, South Dakota, West Virginia, Wisconsin, Wyoming, and any other state not covered by a specific section above:

In the event of a data breach affecting your unencrypted Personal Information, we will notify you in accordance with your state’s breach notification law. Notification will be provided as expeditiously as reasonably possible and within the timeframe required by your state’s law. We will notify state attorneys general, regulatory agencies, and other authorities as required.

Regardless of your state’s law, we are committed to: collecting only minimum necessary Personal Information; not selling your Personal Information without disclosure; providing you a reasonable opportunity to request access to, correction of, or deletion of your Personal Information (contact support@cssservicesinc.com); maintaining reasonable data security; and responding to privacy inquiries within 30 days.

  1. BIOMETRIC DATA — MULTI-STATE NOTICE

Several states regulate biometric data beyond Illinois (including Texas, Washington, Arkansas, and others). We do not collect, store, or otherwise maintain such data.

  1. MINORS’ PRIVACY — MULTI-STATE NOTICE

Beyond COPPA, multiple state laws provide heightened protection for minors. We:

  • Do not knowingly collect Personal Information from children under 13;
  • Do not sell or share Personal Information of minors ages 13–17; and
  • Honor parental consent requirements for the collection of personal data from known children.
  1. CONTACT US

To submit a request or ask a question:

Email: support@cssservicesinc.com
Phone: (770) 491-0522
Website: https://cssservicesinc.com

To revoke any consent provided hereunder:

Send an e-mail to support@cssservicesinc.com with the subject line “Consent Revocation” and a short explanation of the specific consent you are revoking.

You must indicate your state of residence in all privacy-related communications so we may apply the correct legal framework and respond within the timeframe required by your state’s law.

This Privacy Policy was last updated on June 30, 2026. Laws for Oklahoma (effective January 1, 2027), Alabama (effective May 1, 2027), Louisiana (effective January 1, 2027), and Vermont (effective January 1, 2028) are included because their laws are already signed. Additional rights described herein for those states will become enforceable on those effective dates. We will continue to update this Policy as new laws take effect.

This Policy is designed for general informational compliance purposes. It does not constitute legal advice. Consult a licensed attorney in your jurisdiction before relying on this Policy.